
AVSECURITY.IN

MONGODB SECURITY REVIEW

DOCUMENT v1.0.0 - 11-08-2015

Author: Vinesh Redkar

AVsecurity.in

Published Date: 11th August 2015

MongoDB Security Review Document

Authored by Vinesh Redkar | 2

1 TABLE OF CONTENTS

2 MONGODB SECURITY SUMMARY
  2.1 OBJECTIVE
  2.2 ACKNOWLEDGEMENTS

3 SECURITY REVIEW OF MONGODB
  3.1 PATCHING AND SOFTWARE UPDATES
    3.1.1 PATCHING AND SOFTWARE UPDATES
  3.2 AUTHENTICATION
    3.2.1 MONGODB AUTHENTICATION
    3.2.2 BYPASS AUTHENTICATION VIA LOCALHOST EXCEPTION
    3.2.3 AUTHENTICATION IN SHARDED CLUSTER
  3.3 ACCESS CONTROL
    3.3.1 CONFIGURED ROLE BASED ACCESS CONTROL
    3.3.2 LIMIT NETWORK EXPOSURE
    3.3.3 MONGODB ACCESS WITH A DEDICATED USER
  3.4 DATA AT REST AND DATA IN MOTION
    3.4.1 ENCRYPT COMMUNICATION
    3.4.2 ENCRYPT AND PROTECT DATA
  3.5 AUDIT TRAIL
    3.5.1 AUDIT SYSTEM ACTIVITY
    3.5.2 CONFIGURED AUDIT FILTERS
  3.6 HARDENING PARAMETERS
    3.6.1 DISABLE HTTP STATUS INTERFACE
    3.6.2 MONGODB ON DEFAULT PORT
    3.6.3 RESOURCE LIMITS SET
    3.6.4 SECURE CONFIGURATION OPTIONS - CONFIG - NOSCRIPTING
    3.6.5 SECURE CONFIGURATION OPTIONS - CONFIG - 'SYSTEMLOG.QUIET = FALSE'
    3.6.6 SECURE CONFIGURATION OPTIONS - CONFIG - 'SYSTEMLOG.LOGAPPEND = FALSE'
    3.6.7 SECURE CONFIGURATION OPTIONS - CONFIG - NET PARAMETER

4 MORE INFORMATION


2 MONGODB SECURITY SUMMARY

2.1 OBJECTIVE

This benchmark is intended for system security specialists and auditors who plan, build or review MongoDB deployments. It provides prescriptive guidance for establishing a secure configuration posture for MongoDB Server and covers the points that should be verified when auditing a MongoDB server.

2.2 ACKNOWLEDGEMENTS

Author Details

Document Title      MongoDB Configuration Review Document
Document Id         MongoDB Configuration Review Document_v1.0
Prepared By         Vinesh Redkar
Contact Me          [email protected] @b0rn2pwn
Personal Web Site   AVsecurity.in
Effective Date      10-08-2015


3 SECURITY REVIEW OF MONGODB

3.1 PATCHING AND SOFTWARE UPDATES

3.1.1 PATCHING AND SOFTWARE UPDATES

DESCRIPTION

Patches are released to address security issues and bugs that are identified after a product has shipped. An unpatched mongod carries every publicly known flaw of its release, so the version in use is the first thing to establish.

TEST STEPS

Run the following command in the mongo shell to determine the MongoDB version:

db.version()

Run the following commands on the OS (Debian/Ubuntu shown) to list packages with pending updates without installing them:

apt-get update
apt-get --just-print upgrade

REMEDIATION:

It is recommended to keep the base operating system patched along with the MongoDB database service.

Run the following command to update all packages on the system:

# apt-get upgrade

Upgrade to the latest revision of MongoDB:

1. Back up the data set before upgrading.
2. Download the binaries for the latest MongoDB revision from the MongoDB Download Page and store them in a temporary location. The binaries download as compressed files that extract to the directory structure used by the MongoDB installation.
3. Shut down the instance.
4. Replace the existing MongoDB binaries with the downloaded binaries.
5. Restart the instance.

This procedure is for revision (point) releases within the same release series. Moving between release series (for example 2.6 to 3.0) has its own upgrade notes, which must be followed instead.

MORE INFORMATION:

MongoDB Upgrade Revision

http://docs.mongodb.org/manual/tutorial/upgrade-revision/


3.2 AUTHENTICATION

3.2.1 MONGODB AUTHENTICATION

DESCRIPTION:

Authentication is the process of verifying the identity of a client. Authentication requires that all clients

and servers provide valid credentials before they can connect to the system.

TEST STEPS

Run the following commands to verify whether authentication is enabled on the MongoDB server. Packages that use the older "key = value" configuration layout set auth; the YAML layout (MongoDB 2.6 and later) sets security.authorization.

cat /etc/mongodb.conf | grep -i "auth"

auth = true

Or, for the YAML layout:

cat /etc/mongod.conf | grep -A5 "security" | grep "authorization"

authorization: enabled

A line that begins with # is a comment and enables nothing, so "#auth = true" means authentication is off. Also confirm that the file you are reading is the one passed to the running mongod (the -f or --config argument shown by ps) and that the process was not started with --noauth.

auth = true  (or security.authorization: enabled)      Authentication is enabled
auth = false, missing, or commented out                Authentication is disabled (the default)

REMEDIATION:

It is recommended to enable authentication before exposing the MongoDB server to any client.

Steps to enable authentication:

Start the MongoDB instance without authentication.

mongod --port 27017 --dbpath /data/db1

Create the user administrator. Choose a strong password; "password" below is only a placeholder.

use admin

db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Restart the MongoDB instance with authentication enabled, either with --auth or with auth = true / security.authorization: enabled in the configuration file.

mongod --auth --config /etc/mongodb/mongodb.conf

After the restart, authenticate as siteUserAdmin and create the remaining users with the least privilege they need on their own databases. userAdminAnyDatabase grants no read or write access to data by itself, but it can grant any role to any user, so treat that account as a full-control credential and keep it for administration only.

MORE INFORMATION:

MongoDB Basic Configuration

https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1


3.2.2 BYPASS AUTHENTICATION VIA LOCALHOST EXCEPTION

DESCRIPTION:

The localhost exception lets a client connecting from localhost create the first user, and so bootstrap authorization, on an instance that has authentication enabled but no users yet. The review should flag any instance on which the exception is still active.

(Note: The exception applies only while no users exist in the MongoDB instance; once the first user has been created it no longer applies.)

TEST STEPS

To verify whether the localhost exception is enabled on MongoDB, run the following command. The setting is a server parameter, so in the configuration file it appears under setParameter:

cat /etc/mongod.conf | grep "enableLocalhostAuthBypass"

setParameter = enableLocalhostAuthBypass=0

(In the YAML layout the same setting is enableLocalhostAuthBypass: false under setParameter:, and it can also be passed on the command line as --setParameter enableLocalhostAuthBypass=0.)

Ensure that the value is 0 (false).

enableLocalhostAuthBypass = 1    A localhost client may create the first user without credentials.
enableLocalhostAuthBypass = 0    Localhost clients get no exception; credentials are always required.

REMEDIATION:

It is recommended to disable the localhost exception once the user administrator exists, so that an instance whose users were removed or whose data directory was replaced cannot be taken over from the local host.

Ensure that enableLocalhostAuthBypass is 0. Do this only after the first user has been created: with authentication on, no users and the exception disabled, the only way to create a user is to restart mongod without authentication.

MORE INFORMATION:

LocalHost Exception

http://docs.mongodb.org/manual/core/authentication/#localhost-exception


3.2.3 AUTHENTICATION IN SHARDED CLUSTER

DESCRIPTION:

If authentication is enabled on a sharded cluster, every client that accesses the cluster must provide credentials. This includes the MongoDB instances that access each other within the cluster (mongos, shard members and config servers), which authenticate to one another with a shared key file.

TEST STEPS

Run the following command to verify whether the keyFile parameter is configured:

cat /etc/mongodb.conf | grep "keyFile"

The content of the key file is arbitrary but must be identical on all cluster members, and the file must be readable only by the account running mongod/mongos (mode 600): mongod refuses to start if the key file is group- or world-readable. Specifying keyFile also turns on client authentication (it implies auth).

REMEDIATION:

It is recommended to enable authentication in the sharded cluster.

1. Generate a key file:
   http://docs.mongodb.org/v2.4/tutorial/generate-key-file/#generate-key-file

2. On each component in the sharded cluster, enable authentication by doing one of the following:

   o In the configuration file /etc/mongodb.conf, set the keyFile option to the key file's path and then start the component:

     keyFile = /srv/mongodb/keyfile

   o When starting the component, pass the --keyFile option, which exists for both mongos and mongod instances, set to the key file's path.

MORE INFORMATION:

Sharded Cluster Authentication

http://docs.mongodb.org/v2.2/administration/sharded-clusters/

Generation of Key File

http://docs.mongodb.org/v2.4/tutorial/generate-key-file/#generate-key-file


3.3 ACCESS CONTROL

3.3.1 CONFIGURED ROLE BASED ACCESS CONTROL

DESCRIPTION:

MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is

granted one or more roles that determine the user’s access to database resources and operations.

Outside of role assignments, the user has no access to the system. MongoDB does not enable

authorization by default.

TEST STEPS

Connect to MongoDB with the appropriate privileges. Leave -p without a value so the shell prompts for the password instead of recording it in the shell history and the process list:

mongo --port 27017 -u siteUserAdmin -p --authenticationDatabase admin

Identify the users' roles and privileges. getUsers() lists every user defined on the current database; getUser() and getRole() take a name:

use databasename
db.getUsers()
db.getUser("username")
db.getRole("rolename", { showPrivileges: true })

Verify that each user holds only the roles it needs. Pay particular attention to accounts on the admin database holding root or userAdminAnyDatabase (which can grant itself any role) and to application accounts holding dbOwner: these amount to full control of the data or of the access control system itself.

REMEDIATION:

It is recommended to configure users with the least privileged roles that cover their needs. Please refer to the More Information link for the same.

MORE INFORMATION:

Manage User and Roles MongoDB

http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/


3.3.2 LIMIT NETWORK EXPOSURE

DESCRIPTION:

Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB

instances listen for incoming connections.

TEST STEPS

To verify that network exposure is limited on MongoDB, run the following commands:

Verifying the bind address in the MongoDB configuration file:

cat /etc/mongod.conf | grep -A12 "net" | grep "bindIp"

(In the older configuration layout the key is bind_ip.) For the MongoDB releases this document covers, an unset bindIp means mongod listens on every interface; it should list only the loopback address and/or the address of the interface the application servers reach.

AND

Verifying on a Linux system:

iptables -L -n

OR

Verifying on a Windows system:

netsh advfirewall firewall show rule name=all

(Note: Please ensure that the MongoDB port is reachable only from trusted systems.)

REMEDIATION:

It is recommended to limit the interfaces on which MongoDB instances listen for incoming connections (bindIp) and to restrict the port at the host firewall to the application and administration hosts. Binding alone does not help when the interface the application uses is itself reachable from the Internet.

MORE INFORMATION:

Restrict MongoDB Access on Linux and Windows

http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/

http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/


3.3.3 MONGODB ACCESS WITH A DEDICATED USER

DESCRIPTION:

Running the MongoDB service using a non-dedicated, high-privilege account like root puts your

Operating System at unnecessary risk. Instead use a dedicated, special purpose account.

TEST STEPS

Identify the OS account that runs the MongoDB process:

ps -ef | grep mongo[ds]

The first column is the account. It should be a dedicated, unprivileged user (the packages create mongod or mongodb), not root.

Verify who owns the data directory, key file, TLS/SSL key and log files:

ls -l /var/lib/mongodb /var/log/mongodb

Separately, list the database users and the roles assigned to them. Connect to MongoDB:

mongo --port 27017 dbname

OR

mongo --port 27017 -u siteUserAdmin -p --authenticationDatabase admin

List users and assigned roles (MongoDB):

db.getUsers()
db.getRole("rolename", { showPrivileges: true })

Ask the MongoDB server administrator which database user the application uses to access the database and verify the role assigned to that particular user.

REMEDIATION:

It is recommended to run mongod/mongos under a dedicated, unprivileged OS account and to give each application its own MongoDB user for its database activity.

Database data files, the key file and TLS/SSL private key files should be owned by and readable only by the mongod/mongos user (mode 600 for the files, 700 for the data directory).

Log files should be writable only by the mongod/mongos user and readable only by that user and root.

MORE INFORMATION:

Manage User and Roles MongoDB

http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
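As an added example for sections 3.2.3 and 3.3.3 (it is not part of this document or of MongoDB's own tooling), the Python 3 script below generates a cluster key file with the permissions mongod demands and then audits the mode and ownership of the data files, key file, TLS key and log against the rules above. It runs against a constructed temporary directory in which one data file and the log have deliberately been left too open; the file layout is an assumption, and on a real host you would pass the real dbPath, keyFile, PEMKeyFile and log path together with the uid of the service account.

```python
"""Key file generation and file-permission audit for a mongod host.
Added example for sections 3.2.3 and 3.3.3 of this review; not MongoDB's own
tooling. Assumes Python 3 on a Unix host."""
import base64
import os
import stat
import tempfile

SECRET_MAX = 0o600   # data files, key file, TLS private key: owner only
LOG_MAX = 0o640      # log: owner writes, group (root or a log group) reads


def write_keyfile(path, nbytes=741):
    """Write a key file in the form MongoDB expects: base64 text (741 random
    bytes encode to 988 characters, inside the 6..1024 limit), created with
    mode 0600 so that mongod does not reject it as too open. The same file
    must be copied to every member of the cluster."""
    key = base64.b64encode(os.urandom(nbytes)) + b"\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    os.chmod(path, 0o600)        # the file may have existed with a wider mode
    return path


def excess_bits(path, allowed):
    """Permission bits set on `path` beyond `allowed` (0 when compliant)."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~allowed


def keyfile_ok(path):
    """True when the key file is 6..1024 characters and readable only by its owner."""
    size = os.stat(path).st_size - 1            # ignore the trailing newline
    return 6 <= size <= 1024 and excess_bits(path, SECRET_MAX) == 0


def check_files(dbpath, keyfile, tls_key=None, logfile=None, owner_uid=None):
    """Return [(path, problem)] for every file that is too open or, when
    owner_uid is given, not owned by the service account."""
    secrets = [keyfile] + ([tls_key] if tls_key else [])
    for root, _dirs, files in os.walk(dbpath):
        secrets += [os.path.join(root, f) for f in sorted(files)]
    findings = []
    for path in secrets:
        extra = excess_bits(path, SECRET_MAX)
        if extra:
            findings.append((path, "mode grants %s beyond 0600" % oct(extra)))
    if logfile:
        extra = excess_bits(logfile, LOG_MAX)
        if extra:
            findings.append((logfile, "log mode grants %s beyond 0640" % oct(extra)))
    if owner_uid is not None:
        for path in secrets + ([logfile] if logfile else []):
            if os.stat(path).st_uid != owner_uid:
                findings.append((path, "not owned by uid %d" % owner_uid))
    return findings


def demo():
    """Constructed layout: a dbpath holding one data file left world-readable,
    a key file produced by write_keyfile, and a group-writable log file.
    The current user stands in for the mongod service account."""
    base = tempfile.mkdtemp()
    dbpath = os.path.join(base, "db")
    os.mkdir(dbpath)
    data_file = os.path.join(dbpath, "local.0")
    open(data_file, "w").close()
    os.chmod(data_file, 0o644)                  # first expected finding
    keyfile = write_keyfile(os.path.join(base, "keyfile"))
    logfile = os.path.join(base, "mongod.log")
    open(logfile, "w").close()
    os.chmod(logfile, 0o660)                    # second expected finding
    return {"keyfile_ok": keyfile_ok(keyfile),
            "findings": check_files(dbpath, keyfile, logfile=logfile,
                                    owner_uid=os.getuid())}


if __name__ == "__main__":
    result = demo()
    print("key file acceptable:", result["keyfile_ok"])
    for path, problem in result["findings"]:
        print("%s: %s" % (path, problem))
```

The check reports only the bits that exceed the allowed mode, so a finding such as "0o44 beyond 0600" tells you directly that group and others can read the file. Ownership is reported separately because a file owned by root with mode 600 is just as unreadable to mongod as a file owned by another user.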


3.4 DATA AT REST AND DATA IN MOTION

3.4.1 ENCRYPT COMMUNICATION

DESCRIPTION:

Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between the mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.

New in version 3.0: Most MongoDB distributions now include support for SSL.

TEST STEPS

To verify the SSL settings configured on MongoDB, run the following command against the configuration file of each mongod and mongos:

cat /etc/mongos.conf | grep -A20 'net' | grep -A10 'ssl' | grep 'mode'

or, from the mongo shell, list the options the running process was actually started with:

db.serverCmdLineOpts()

Ensure that net.ssl.mode is requireSSL. requireSSL also needs net.ssl.PEMKeyFile (the server certificate and private key). allowSSL and preferSSL are transitional modes for rolling a cluster over to TLS; both still accept cleartext from clients.

Value        Description
disabled     The server does not use TLS/SSL.
allowSSL     Connections between servers do not use TLS/SSL. For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL.
preferSSL    Connections between servers use TLS/SSL. For incoming connections, the server accepts both TLS/SSL and non-TLS/non-SSL.
requireSSL   The server uses and accepts only TLS/SSL encrypted connections.

REMEDIATION:

It is recommended to encrypt communication between the mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB, and to have clients validate the server certificate (do not run with --sslAllowInvalidCertificates outside of testing, since it turns the connection into encryption without authentication).

MORE INFORMATION:

To use SSL in your MongoDB deployment:

http://docs.mongodb.org/manual/tutorial/configure-ssl/


3.4.2 ENCRYPT AND PROTECT DATA

DESCRIPTION:

Encrypt MongoDB data on each host using file-system, device, or physical encryption. Protect MongoDB

data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs,

and key files.

TEST STEPS

To verify how MongoDB data is protected on disk, run the following commands:

Finding the database location:

cat /etc/mongod.conf | grep "dbpath"

dbpath=/var/lib/mongodb

(In the YAML layout the key is storage.dbPath.)

Verify the permissions set on the database files:

# ls -l /var/lib/mongodb

Viewing data with the cat command. Without encryption at rest, any account that can read the data files can read the stored records in plaintext:

cat /var/lib/mongodb/file

REMEDIATION:

It is recommended to encrypt the data at rest. Be clear about what this protects against: disk, volume or file-system encryption defends against offline access (a stolen disk, a copied backup or snapshot), not against an attacker who controls the running mongod or holds a database credential, because the process decrypts transparently.

There are two broad classes of approaches to encrypting data at rest with MongoDB:

Application Level Encryption provides encryption on a per-field or per-document basis within the application layer. To encrypt document or field level data, write custom encryption and decryption routines or use a commercial solution such as the Vormetric Data Security Platform.

Storage Encryption encrypts all MongoDB data on the storage or operating system to ensure that only authorized processes can access protected data. A number of third-party products integrate with the operating system to provide transparent disk-level encryption:

o Linux Unified Key Setup (LUKS)
o IBM Guardium Data Encryption
o Vormetric Data Security Platform
o BitLocker Drive Encryption

MORE INFORMATION:

Application Level Encryption

http://docs.mongodb.org/manual/core/security-introduction/#application-level-encryption

Storage Encryption

http://docs.mongodb.org/manual/core/security-introduction/#storage-encryption


3.5 AUDIT TRAIL

3.5.1 AUDIT SYSTEM ACTIVITY

DESCRIPTION:

Track access and changes to database configurations and data. MongoDB Enterprise includes a system

auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB

instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

TEST STEPS

To verify that auditing of system activity is configured on MongoDB, run the following command:

cat /etc/mongod.conf | grep -A4 "auditLog" | grep "destination"

destination: syslog

Ensure that auditLog.destination is set; this document recommends syslog. Auditing exists only in MongoDB Enterprise: on a Community build the option is absent and this check fails.

REMEDIATION:

It is recommended to set the audit log destination to syslog so that audit records leave the host and cannot be edited by whoever controls it. Note that syslog imposes a message size limit and an audit event longer than that limit is truncated without any error from mongod; where complete records matter more than immediate off-host delivery, write to a file and ship it with a log forwarder.

Value       Description
syslog      Enable auditing and print audit events to syslog.
            Command: mongod --dbpath data/db --auditDestination syslog
console     Enable auditing and print audit events to standard output (stdout).
            Command: mongod --dbpath data/db --auditDestination console
JSON file   Enable auditing and print audit events to a file in JSON format. Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.
            Command: mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
BSON file   Enable auditing and print audit events to a file in BSON binary format.
            Command: mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

MORE INFORMATION:

Configure Auditing

http://docs.mongodb.org/manual/tutorial/configure-auditing/


3.5.2 CONFIGURED AUDIT FILTERS

DESCRIPTION:

MongoDB Enterprise supports auditing of various operations. When enabled, the audit facility, by

default, records all auditable operations as detailed in Audit Event Actions, Details, and Results. To

specify which events to record, the audit feature includes the --auditFilter option.

TEST STEPS

To verify which audit events are recorded on MongoDB, run the following command:

cat /etc/mongod.conf | grep -A10 "auditLog" | grep "filter"

Ensure that the filter has been defined according to the business requirement. The filter is a query document matched against each audit event (for example on atype, param.db or users); events that do not match are never written. A filter can therefore silently exclude authentication failures or privilege changes, so review its content against the list of auditable actions rather than only checking that it is present.

REMEDIATION:

It is recommended to set the audit filter based on the business requirement, and to confirm that it still records authentication events, user and role changes, and schema changes.

MORE INFORMATION:

Audit Message

http://docs.mongodb.org/manual/reference/audit-message/

http://docs.mongodb.org/manual/reference/program/mongos/#cmdoption--auditFilter
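As an added example for sections 3.5.1 and 3.5.2 (it is not part of this document or of MongoDB's own code), the Python 3 script below works through audit records the way a reviewer would: it applies an auditLog.filter document to each event to show what a given filter keeps and drops, and it counts failed authentications per source address, which is the first thing to look for in a collected audit log. SAMPLE_AUDIT is constructed in the documented JSON audit-message layout (atype, ts, local, remote, users, roles, param, result); the addresses, users and timestamps are invented.

```python
"""Working with MongoDB Enterprise audit records: apply an auditLog.filter
document the way the server does (section 3.5.2) and flag repeated failed
authentications per source address (section 3.5.1). Added example for this
review, not MongoDB's own code. SAMPLE_AUDIT is constructed in the documented
JSON audit-message layout; addresses, users and times are invented."""
import json
from collections import Counter

SAMPLE_AUDIT = """
{"atype":"authenticate","ts":{"$date":"2015-08-11T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51436},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authenticate","ts":{"$date":"2015-08-11T10:00:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51437},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authenticate","ts":{"$date":"2015-08-11T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51438},"users":[],"roles":[],"param":{"user":"siteUserAdmin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authenticate","ts":{"$date":"2015-08-11T10:00:09.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40112},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"user":"app","db":"shop","mechanism":"SCRAM-SHA-1"},"result":0}
{"atype":"createCollection","ts":{"$date":"2015-08-11T10:00:10.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40112},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"ns":"shop.orders"},"result":0}
{"atype":"dropCollection","ts":{"$date":"2015-08-11T10:00:11.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40112},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"ns":"shop.tmp"},"result":0}
"""

# Filters in the form auditLog.filter accepts: query documents over event fields.
SCHEMA_CHANGES = {"atype": {"$in": ["createCollection", "dropCollection"]}}
ADMIN_LOGINS = {"atype": "authenticate", "param.db": "admin"}


def parse_events(text):
    """One JSON document per line, as the JSON file destination writes them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lookup(doc, dotted):
    """Resolve a dotted field path such as "param.db"; None when absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def matches(event, flt):
    """The subset of the query language a filter usually needs: equality and
    $in on dotted fields, all conditions ANDed. Any other operator raises
    instead of being silently treated as a match."""
    for field, cond in flt.items():
        value = lookup(event, field)
        if isinstance(cond, dict):
            if set(cond) != {"$in"}:
                raise ValueError("operator not supported here: %r" % cond)
            if value not in cond["$in"]:
                return False
        elif value != cond:
            return False
    return True


def select(events, flt):
    """Events the filter would keep; everything else is never written."""
    return [e for e in events if matches(e, flt)]


def failed_auth_sources(events, threshold=3):
    """Remote addresses with at least `threshold` failed authenticate events.
    result 0 is success; 18 is AuthenticationFailed."""
    counts = Counter(e["remote"]["ip"] for e in events
                     if e.get("atype") == "authenticate" and e.get("result", 0) != 0)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT)
    print("kept by SCHEMA_CHANGES:", [e["param"]["ns"] for e in select(evs, SCHEMA_CHANGES)])
    print("failed-auth sources:", failed_auth_sources(evs))
```

Run against the sample, SCHEMA_CHANGES keeps only the two collection events and would have discarded the three failed logins from 203.0.113.7, which is exactly the blind spot the test step above warns about; a filter meant for production should list authentication events alongside the schema events it cares about.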


3.6 HARDENING PARAMETERS

3.6.1 DISABLE HTTP STATUS INTERFACE

DESCRIPTION:

MongoDB provides an HTTP interface on port 28017 (the main port plus 1000) which serves a "home" status page and, when enabled, a REST and a JSONP interface. It exposes server status and recent log lines, and the REST interface exposes data and supports no authentication at all.

TEST STEPS

To verify whether the HTTP status interface is enabled on MongoDB, execute the command below:

cat /etc/mongod.conf | grep "nohttpinterface"

nohttpinterface = false

Ensure that nohttpinterface is true (in the YAML layout the equivalent is net.http.enabled: false, see 3.6.7).

nohttpinterface = true     HTTP interface disabled
nohttpinterface = false    HTTP interface enabled

REMEDIATION:

It is recommended to disable the HTTP status interface of the MongoDB server.

Set nohttpinterface = true in the /etc/mongod.conf file (or net.http.enabled: false in the YAML layout).

(Note: Ensure that the HTTP status interface, the REST API and the JSON API are all disabled in production environments to prevent potential data exposure and vulnerability to attackers.)

MORE INFORMATION:

No HTTP Interface

http://docs.mongodb.org/manual/reference/configuration-options/#nohttpinterface


3.6.2 MONGODB ON DEFAULT PORT

DESCRIPTION:

MongoDB's default ports (27017 for mongod and mongos, 27018 for shard members, 27019 for config servers, 28017 for the HTTP interface) are the first thing a scanner tries, so organisations may move the service to a non-default port. This is obscurity only: it cuts the noise from opportunistic scans but does nothing against a targeted attacker, and it is no substitute for authentication (3.2), bindIp and firewalling (3.3.2).

TEST STEPS

To verify the port number on which MongoDB is configured, execute the command below:

cat /etc/mongod.conf | grep "port"

port=27017

Ensure that the port value is not the default port, 27017.

REMEDIATION:

It is recommended to change the default port of the MongoDB server, after the controls in 3.2 and 3.3 are in place.

MORE INFORMATION:

Default MongoDB Port

http://docs.mongodb.org/manual/reference/default-mongodb-port/


3.6.3 RESOURCE LIMITS SET

DESCRIPTION:

OS provide ways to limit and control the usage of system resources such as threads, files, and network

connections on a per-process and per-user basis.

These “ulimits” prevent single users from using too many system resources.

TEST STEPS

To verify the resource limits set on the MongoDB process, execute the commands below.

Extracting the process ID of MongoDB:

ps -ef | grep mongod

Output

mongod 1322 1 4 Mar10 ? 01:16:22 /usr/bin/mongod -f /etc/mongod.conf

Printing the limits of the running process:

cat /proc/1322/limits

Read the limits from /proc of the running process rather than from ulimit -a in your own shell: values in /etc/security/limits.conf apply to PAM login sessions, while a mongod started by an init script or a systemd unit gets the limits of that mechanism (for systemd, LimitNOFILE= and LimitNPROC= in the unit file).

REMEDIATION:

It is recommended to set the ulimit values as follows.

Every deployment may have unique requirements and settings, but the following thresholds are particularly important for MongoDB deployments:

f (file size): unlimited
t (cpu time): unlimited
v (virtual memory): unlimited [1]
n (open files): 64000
m (memory size): unlimited [1] [2]
u (processes/threads): 64000

Restart your mongod and mongos instances after changing the ulimit settings to ensure that the changes take effect.

MORE INFORMATION:

Ulimit Recommended Setting

http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings
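As an added example for this check (it is not part of this document or of MongoDB's tooling), the Python 3 script below parses the /proc/<pid>/limits layout and reports every limit that falls short of the thresholds listed under Remediation. SAMPLE_LIMITS is a constructed copy of that layout in which open files and processes are deliberately below the recommendation; on a real host feed it the contents of /proc/<pid>/limits for the mongod process.

```python
"""Compare a running mongod's limits with the ulimit thresholds in section
3.6.3. Added example for this review, not MongoDB's own tooling. SAMPLE_LIMITS
is a constructed copy of the /proc/<pid>/limits layout; on a real host read
/proc/<pid>/limits of the mongod process instead. Assumes Python 3 on Linux."""
import re

# From the recommended-settings list above; None stands for "unlimited".
RECOMMENDED = {
    "Max file size": None,        # -f
    "Max cpu time": None,         # -t
    "Max address space": None,    # -v, virtual memory
    "Max open files": 64000,      # -n
    "Max resident set": None,     # -m, memory size
    "Max processes": 64000,       # -u, processes/threads
}

SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             63545                63545                processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       63545                63545                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us
"""


def parse_limits(text):
    """Return {name: (soft, hard)}; numbers as int, "unlimited" as None.
    Columns are separated by runs of two or more spaces; names keep their
    single internal spaces."""
    conv = lambda v: None if v == "unlimited" else int(v)
    limits = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 3:
            limits[cols[0]] = (conv(cols[1]), conv(cols[2]))
    return limits


def below_recommendation(text, recommended=RECOMMENDED):
    """{name: (soft limit, wanted)} for every limit the process does not meet.
    The soft limit is what the process is actually bound by; a higher hard
    limit only means the process could raise the soft limit itself."""
    limits = parse_limits(text)
    short = {}
    for name, wanted in recommended.items():
        soft, _hard = limits.get(name, (0, 0))      # a missing row counts as 0
        if wanted is None:
            ok = soft is None
        else:
            ok = soft is None or soft >= wanted
        if not ok:
            short[name] = (soft, wanted)
    return short


if __name__ == "__main__":
    for name, (soft, wanted) in below_recommendation(SAMPLE_LIMITS).items():
        print("%s: soft limit %s, recommended %s"
              % (name, soft, "unlimited" if wanted is None else wanted))
```

On the sample the script reports "Max open files" (1024 against 64000) and "Max processes" (63545 against 64000), the two limits a default Linux session most often leaves too low for mongod.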


3.6.4 SECURE CONFIGURATION OPTIONS - CONFIG - NOSCRIPTING

DESCRIPTION:

MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. If an application builds such expressions from user input, an attacker can run arbitrary JavaScript inside mongod; disabling server-side scripting removes that attack surface where none of these operations is needed.

TEST STEPS

Depending on the business requirement this feature may be needed. If it is not required, it is advisable to disable server-side scripting.

cat /etc/mongod.conf | grep -A10 "security" | grep "javascriptEnabled"

(In the older configuration layout the equivalent is noscripting = true.)

Ensure that javascriptEnabled is false.

javascriptEnabled = true     Server-side JavaScript is enabled (the default)
javascriptEnabled = false    Server-side JavaScript is disabled

REMEDIATION:

It is recommended to disable server-side scripting by using the --noscripting option on the command line or security.javascriptEnabled: false in the configuration file.

MORE INFORMATION:

Security JavaScript Enabled

http://docs.mongodb.org/manual/reference/configuration-options/#security.javascriptEnabled


3.6.5 SECURE CONFIGURATION OPTIONS - CONFIG - 'SYSTEMLOG.QUIET = FALSE'

DESCRIPTION:

systemLog.quiet suppresses much of the connection, command and replication output in the log. It is not recommended for production systems, as it makes tracking problems during particular connections much more difficult and removes the connection records an investigation would rely on.

TEST STEPS

To verify the systemLog.quiet setting on MongoDB, run the following command:

cat /etc/mongod.conf | grep -A5 "systemLog" | grep "quiet"

(In the older configuration layout the key is quiet.)

Ensure that systemLog.quiet is false.

systemLog.quiet = true     Quiet mode enabled (reduced logging)
systemLog.quiet = false    Quiet mode disabled (normal logging)

REMEDIATION:

It is recommended to leave systemLog.quiet at false, as quiet mode is not recommended on production systems.

MORE INFORMATION:

Configuration Option

http://docs.mongodb.org/manual/reference/configuration-options/


3.6.6 SECURE CONFIGURATION OPTIONS - CONFIG - ' SYSTEMLOG.LOGAPPEND= FALSE'

DESCRIPTION:

The default value of systemLog.logAppend is false, which means the log file is overwritten when the mongod or mongos service restarts; a crash, or a restart triggered by an attacker, then destroys the record of what happened before it.

When true, mongos or mongod appends new entries to the end of the log file rather than overwriting the content of the log when the instance restarts.

TEST STEPS

To verify the systemLog.logAppend setting on MongoDB, run the following command:

cat /etc/mongod.conf | grep -A5 "systemLog" | grep "logAppend"

(In the older configuration layout the key is logappend.)

Ensure that systemLog.logAppend is true.

systemLog.logAppend = true     Append to the existing log on restart
systemLog.logAppend = false    Overwrite the log on restart (the default)

REMEDIATION:

It is recommended to set systemLog.logAppend to true.

MORE INFORMATION:

Configuration Option

http://docs.mongodb.org/manual/reference/configuration-options/


3.6.7 SECURE CONFIGURATION OPTIONS - CONFIG - NET PARAMETER

DESCRIPTION:

net.http.enabled
Enable or disable the HTTP interface. Enabling the interface can increase network exposure. By default net.http.enabled is false.

net.http.JSONPEnabled
Enable or disable JSONP access via the HTTP interface. Enabling it can increase network exposure. Setting net.http.JSONPEnabled turns the HTTP interface on even if net.http.enabled is false. By default net.http.JSONPEnabled is false.

net.http.RESTInterfaceEnabled
Enable or disable the simple REST API. Enabling the REST API turns the HTTP interface on even if net.http.enabled is false, and as a result can increase network exposure. By default net.http.RESTInterfaceEnabled is false.

TEST STEPS

To verify whether the HTTP interface is enabled or disabled:

cat /etc/mongod.conf | grep -A12 "net" | grep -A10 "http" | grep "enabled"

cat /etc/mongod.conf | grep -A12 "net" | grep -A10 "http" | grep "JSONPEnabled"

cat /etc/mongod.conf | grep -A12 "net" | grep -A10 "http" | grep "RESTInterfaceEnabled"

Ensure that all three values are false. Because JSONPEnabled and RESTInterfaceEnabled each switch the HTTP interface on by themselves, net.http.enabled: false is not sufficient on its own.

true     Enabled
false    Disabled

REMEDIATION:

It is recommended to set the parameter values as defined in the table below.

Parameter Name                  Default Value   Recommended Value
net.http.enabled                false           false
net.http.JSONPEnabled           false           false
net.http.RESTInterfaceEnabled   false           false

MORE INFORMATION:

Configuration Option

http://docs.mongodb.org/manual/reference/configuration-options/
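The configuration checks in sections 3.2.1, 3.2.2, 3.3.2, 3.4.1, 3.5.1, 3.6.1 and 3.6.4 to 3.6.7 all amount to reading one key out of mongod.conf and comparing it with a required value, and the grep commands above miss a key when it sits under a differently indented section or uses the older "key = value" spelling. As an added example (it is not part of this document or of MongoDB's own tooling), the Python 3 script below flattens either configuration layout into dotted keys and scores every one of those checks in a single pass, treating an absent key as its documented default for the releases this review covers (for example bindIp unset means all interfaces, and javascriptEnabled unset means true). The two embedded configurations, WEAK and HARDENED, are constructed for the demonstration.

```python
"""Flatten a mongod/mongos config file and score the settings checked in
sections 3.2.1, 3.2.2, 3.3.2, 3.4.1, 3.5.1 and 3.6.1 to 3.6.7. Added example
for this review, not MongoDB's own tooling. Reads the YAML layout (MongoDB 2.6
and later) and the older "key = value" layout; an absent key is scored at the
default documented for the releases this review covers. Assumes Python 3."""

# Older option names mapped onto the YAML dotted names used in CHECKS.
LEGACY = {"auth": "security.authorization", "bind_ip": "net.bindIp",
          "noscripting": "security.javascriptEnabled",   # sense inverted below
          "nohttpinterface": "net.http.enabled",         # sense inverted below
          "rest": "net.http.RESTInterfaceEnabled", "jsonp": "net.http.JSONPEnabled",
          "sslMode": "net.ssl.mode", "quiet": "systemLog.quiet",
          "logappend": "systemLog.logAppend", "auditDestination": "auditLog.destination"}
INVERTED = {"noscripting", "nohttpinterface"}


def flatten(text):
    """Return {"dotted.key": value} for either layout (nested mappings with
    scalar values, which is all a mongod config contains)."""
    flat, stack = {}, []                               # stack: (indent, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        body, indent = line.strip(), len(line) - len(line.lstrip())
        eq, colon = body.find("="), body.find(":")
        if eq != -1 and (colon == -1 or eq < colon):   # old "key = value" line
            key, val = (s.strip() for s in body.split("=", 1))
            if key == "setParameter":                  # setParameter = name=value
                name, _, pval = val.partition("=")
                flat["setParameter." + name.strip()] = pval.strip()
                continue
            if key in INVERTED:
                val = "false" if val.lower() == "true" else "true"
            if key == "auth":
                val = "enabled" if val.lower() == "true" else "disabled"
            flat[LEGACY.get(key, key)] = val
            continue
        key, _, val = body.partition(":")
        while stack and stack[-1][0] >= indent:        # back out of deeper sections
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if val.strip():
            flat[path] = val.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return flat


def _bind_ok(v):
    return not {a.strip() for a in v.split(",")} & {"0.0.0.0", "::", ""}

# (dotted key, default when absent, pass test on the lower-cased value, section)
CHECKS = [
    ("security.authorization", "disabled", lambda v: v == "enabled", "3.2.1"),
    ("setParameter.enableLocalhostAuthBypass", "true", lambda v: v in ("0", "false"), "3.2.2"),
    ("net.bindIp", "0.0.0.0", _bind_ok, "3.3.2"),
    ("net.ssl.mode", "disabled", lambda v: v == "requiressl", "3.4.1"),
    ("auditLog.destination", "", lambda v: v in ("syslog", "file", "console"), "3.5.1"),
    ("net.http.enabled", "false", lambda v: v == "false", "3.6.1"),
    ("security.javascriptEnabled", "true", lambda v: v == "false", "3.6.4"),
    ("systemLog.quiet", "false", lambda v: v == "false", "3.6.5"),
    ("systemLog.logAppend", "false", lambda v: v == "true", "3.6.6"),
    ("net.http.JSONPEnabled", "false", lambda v: v == "false", "3.6.7"),
    ("net.http.RESTInterfaceEnabled", "false", lambda v: v == "false", "3.6.7"),
]


def audit(text):
    """[(key, effective value, passed, section)] for every check."""
    flat = flatten(text)
    return [(k, flat.get(k, d), ok(flat.get(k, d).lower()), s) for k, d, ok, s in CHECKS]


def failures(text):
    return [k for k, _, ok, _ in audit(text) if not ok]


# Constructed configs: an install left at its defaults, and the same host
# after the remediations in this document.
WEAK = """\
net:
  bindIp: 0.0.0.0
  http:
    enabled: true
    RESTInterfaceEnabled: true
"""
HARDENED = """\
systemLog:
  destination: file
  logAppend: true
net:
  bindIp: 127.0.0.1,10.0.0.5
  http:
    enabled: false
    JSONPEnabled: false
    RESTInterfaceEnabled: false
  ssl:
    mode: requireSSL
security:
  authorization: enabled
  javascriptEnabled: false
setParameter:
  enableLocalhostAuthBypass: false
auditLog:
  destination: syslog
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "failing checks:", failures(cfg))
```

Scoring absent keys at their defaults is what makes the pass useful: WEAK fails authorization, the localhost exception, javascriptEnabled and logAppend even though none of those keys appears in the file, which a grep for the key name would never report. Run it against each mongod.conf and mongos.conf in the cluster, and against the options reported by db.serverCmdLineOpts() if you suspect the file on disk is not the one the process was started with.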


4 MORE INFORMATION

MongoDB Security

http://docs.mongodb.org/manual/security/

MongoDB Security Checklist

http://docs.mongodb.org/manual/administration/security-checklist/
